Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3255 vulnerabilities reference this CWE, most recent first.

GHSA-9W2C-WW5Q-2RJ7

Vulnerability from github – Published: 2026-01-07 12:31 – Updated: 2026-01-07 12:31
VLAI
Details

The Optional Email plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in all versions up to, and including, 1.3.11. This is due to the plugin not restricting its 'random_password' filter to registration contexts, allowing the filter to affect password reset key generation. This makes it possible for unauthenticated attackers to set a known password reset key when initiating a password reset, reset the password of any user including administrators, and gain access to their accounts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-15018"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-07T12:16:58Z",
    "severity": "CRITICAL"
  },
  "details": "The Optional Email plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in all versions up to, and including, 1.3.11. This is due to the plugin not restricting its \u0027random_password\u0027 filter to registration contexts, allowing the filter to affect password reset key generation. This makes it possible for unauthenticated attackers to set a known password reset key when initiating a password reset, reset the password of any user including administrators, and gain access to their accounts.",
  "id": "GHSA-9w2c-ww5q-2rj7",
  "modified": "2026-01-07T12:31:23Z",
  "published": "2026-01-07T12:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15018"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/optional-email/tags/1.3.11/optional-email.php?marks=44,51#L44"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ff4243e9-cf72-40d5-bc7d-204426024a1d?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9W2P-XFP4-GGC4

Vulnerability from github – Published: 2024-04-29 18:30 – Updated: 2024-07-03 18:37
VLAI
Details

Insecure Direct Object References (IDOR) vulnerability in Hospital Management System 1.0 allows attackers to manipulate user parameters for unauthorized access and modifications via crafted POST request to /patient/edit-user.php.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-28320"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-29T18:15:07Z",
    "severity": "HIGH"
  },
  "details": "Insecure Direct Object References (IDOR) vulnerability in Hospital Management System 1.0 allows attackers to manipulate user parameters for unauthorized access and modifications via crafted POST request to /patient/edit-user.php.",
  "id": "GHSA-9w2p-xfp4-ggc4",
  "modified": "2024-07-03T18:37:23Z",
  "published": "2024-04-29T18:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28320"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/177326/Hospital-Management-System-1.0-Insecure-Direct-Object-Reference-Account-Takeover.html"
    },
    {
      "type": "WEB",
      "url": "https://sospiro014.github.io/Hospital-Management-System-1.0-Insecure-Direct-Object-Reference-+-Account-Takeover"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9W3F-QQH3-W7FC

Vulnerability from github – Published: 2026-02-08 00:30 – Updated: 2026-02-11 00:30
VLAI
Details

WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user's identifier.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-25567"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-07T22:16:02Z",
    "severity": "MODERATE"
  },
  "details": "WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user\u0027s identifier.",
  "id": "GHSA-9w3f-qqh3-w7fc",
  "modified": "2026-02-11T00:30:14Z",
  "published": "2026-02-08T00:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25567"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wekan/wekan/commit/67cb47173c1a152d9eaf5469740992b2dacdf62d"
    },
    {
      "type": "WEB",
      "url": "https://wekan.fi"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/wekan-card-comment-author-spoofing-via-user-controlled-authorid"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9W8F-7WGR-2H7G

Vulnerability from github – Published: 2021-12-03 20:42 – Updated: 2021-12-03 15:37
VLAI
Summary
kimai2 is vulnerable to Improper Access Control
Details

kimai2 is vulnerable to Improper Access Control

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "kevinpapst/kimai2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.16.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3992"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-12-03T15:37:45Z",
    "nvd_published_at": "2021-12-01T11:15:00Z",
    "severity": "MODERATE"
  },
  "details": "kimai2 is vulnerable to Improper Access Control",
  "id": "GHSA-9w8f-7wgr-2h7g",
  "modified": "2021-12-03T15:37:45Z",
  "published": "2021-12-03T20:42:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3992"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kevinpapst/kimai2/commit/ff9acab0fc81f0e9490462739ef15fe4ab028ea5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kevinpapst/kimai2"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/a0c438fb-c8e1-40cf-acc6-c8a532b80b93"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "kimai2 is vulnerable to Improper Access Control"
}

GHSA-9W9C-9W8M-W89Q

Vulnerability from github – Published: 2026-05-06 23:22 – Updated: 2026-05-14 20:43
VLAI
Summary
ShellHub has cross-tenant IDOR in `GET /api/sessions/:uid` that discloses SSH session data
Details

Summary

GET /api/sessions/:uid returns the full session object for any authenticated caller, without scoping by the caller's tenant. An authenticated user can read session records (SSH username, device UID, remote IP, terminal type, authenticated flag, timestamps) belonging to any other namespace.

Severity

CVSS 3.1: 7.5 (High) CWE-639

Affected versions

ShellHub Community v0.24.1 (by code inspection — same vulnerable pattern as GetDevice). Not plant-reproducible without an active SSH session, but the flaw is structurally identical and confirmed via static analysis.

Root cause

api/services/session.go:37-44GetSession resolves the session by UID without any tenant filter:

go func (s *service) GetSession(ctx context.Context, uid models.UID) (*models.Session, error) { session, err := s.store.SessionResolve(ctx, store.SessionUIDResolver, string(uid)) // ⚠️ missing: s.store.Options().InNamespace(tenant) ... }

The Authorize middleware only verifies presence of a tenant in the context, not ownership of the requested session.

Proof of concept

Pre-requisite: attacker has any valid user account and has obtained a session UID from the victim tenant (UIDs may leak via logs, shared session recordings, UI URLs, or through the device IDOR in the companion advisory since sessions reference devices by UID).

```bash ATTACKER_TOKEN=$(curl -s -X POST http://target/api/login \ -H 'Content-Type: application/json' \ -d '{"username":"attacker","password":"..."}' | jq -r .token)

# Attempt cross-tenant read curl -i "http://target/api/sessions/" \ -H "Authorization: Bearer $ATTACKER_TOKEN" # Expected (fixed): HTTP 403/404 # Observed (v0.24.1): HTTP 200 + full session JSON ```

Impact

  • Cross-tenant disclosure of SSH session data: target username, device UID, remote IP, authenticated status, session type, terminal, position (geolocation), started_at / last_seen timestamps.
  • Enables reconnaissance of other tenants' active users and systems; combined with session recording features, can enable deeper recon.

Suggested fix

api/services/session.go — apply InNamespace in GetSession:

go func (s *service) GetSession(ctx context.Context, uid models.UID) (*models.Session, error) { tenant := gateway.TenantFromContext(ctx) opts := []store.QueryOption{} if tenant != nil { opts = append(opts, s.store.Options().InNamespace(tenant.ID)) } session, err := s.store.SessionResolve(ctx, store.SessionUIDResolver, string(uid), opts...) ... }

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.24.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/shellhub-io/shellhub"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.24.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44423"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T23:22:39Z",
    "nvd_published_at": "2026-05-13T22:16:44Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n`GET /api/sessions/:uid` returns the full session object for any authenticated caller, without scoping by the caller\u0027s tenant. An authenticated user can read session records (SSH username, device UID, remote IP, terminal type, authenticated flag, timestamps) belonging to any other namespace.\n\n## Severity\n**CVSS 3.1: 7.5 (High)** \nCWE-639\n\n## Affected versions\nShellHub Community v0.24.1 (by code inspection \u2014 same vulnerable pattern as `GetDevice`). Not plant-reproducible without an active SSH session, but the flaw is structurally identical and confirmed via static analysis.\n\n## Root cause\n`api/services/session.go:37-44` \u2014 `GetSession` resolves the session by UID without any tenant filter:\n\n  ```go\n  func (s *service) GetSession(ctx context.Context, uid models.UID) (*models.Session, error) {\n      session, err := s.store.SessionResolve(ctx, store.SessionUIDResolver, string(uid))\n      // \u26a0\ufe0f missing: s.store.Options().InNamespace(tenant)\n      ...\n  }\n  ```\n\nThe `Authorize` middleware only verifies presence of a tenant in the context, not ownership of the requested session.\n\n## Proof of concept\n\nPre-requisite: attacker has any valid user account and has obtained a session UID from the victim tenant (UIDs may leak via logs, shared session recordings, UI URLs, or through the device IDOR in the companion advisory since sessions reference devices by UID).\n\n  ```bash\n  ATTACKER_TOKEN=$(curl -s -X POST http://target/api/login \\\n    -H \u0027Content-Type: application/json\u0027 \\\n    -d \u0027{\"username\":\"attacker\",\"password\":\"...\"}\u0027 | jq -r .token)\n\n  # Attempt cross-tenant read\n  curl -i \"http://target/api/sessions/\u003cvictim-session-uid\u003e\" \\\n    -H \"Authorization: Bearer $ATTACKER_TOKEN\"\n  # Expected (fixed):   HTTP 403/404\n  # Observed (v0.24.1): HTTP 200 + full session JSON\n  ```\n\n## Impact\n  - Cross-tenant disclosure of SSH session data: target username, device UID, remote IP, authenticated status, session type, terminal, position (geolocation), started_at / last_seen timestamps.\n  - Enables reconnaissance of other tenants\u0027 active users and systems; combined with session recording features, can enable deeper recon.\n\n## Suggested fix\n`api/services/session.go` \u2014 apply `InNamespace` in `GetSession`:\n\n  ```go\n  func (s *service) GetSession(ctx context.Context, uid models.UID) (*models.Session, error) {\n      tenant := gateway.TenantFromContext(ctx)\n      opts := []store.QueryOption{}\n      if tenant != nil {\n          opts = append(opts, s.store.Options().InNamespace(tenant.ID))\n      }\n      session, err := s.store.SessionResolve(ctx, store.SessionUIDResolver, string(uid), opts...)\n      ...\n  }\n  ```",
  "id": "GHSA-9w9c-9w8m-w89q",
  "modified": "2026-05-14T20:43:19Z",
  "published": "2026-05-06T23:22:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/shellhub-io/shellhub/security/advisories/GHSA-9w9c-9w8m-w89q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44423"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/shellhub-io/shellhub"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ShellHub has cross-tenant IDOR in `GET /api/sessions/:uid` that discloses SSH session data"
}

GHSA-9WMC-988H-2MV2

Vulnerability from github – Published: 2024-12-30 15:31 – Updated: 2024-12-30 18:45
VLAI
Summary
TeamPass privileges issue
Details

TeamPass before 3.1.3.1 does not properly prevent a user from acting with the privileges of a different user_id.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "nilsteampassnet/teampass"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-50703"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-472",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-30T18:06:34Z",
    "nvd_published_at": "2024-12-30T15:15:10Z",
    "severity": "CRITICAL"
  },
  "details": "TeamPass before 3.1.3.1 does not properly prevent a user from acting with the privileges of a different user_id.",
  "id": "GHSA-9wmc-988h-2mv2",
  "modified": "2024-12-30T18:45:42Z",
  "published": "2024-12-30T15:31:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50703"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nilsteampassnet/TeamPass/commit/c7f7f809071eaa9e04505ee79cec7049a42959e9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nilsteampassnet/TeamPass"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nilsteampassnet/TeamPass/compare/3.1.2...3.1.3.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nilsteampassnet/TeamPass/compare/3.1.3...3.1.3.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "TeamPass privileges issue"
}

GHSA-9XVX-2953-C58G

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32
VLAI
Details

A broken access control vulnerability exists in lunary-ai/lunary versions 1.2.7 through 1.4.2. The vulnerability allows an authenticated attacker to modify any user's templates by sending a crafted HTTP POST request to the /v1/templates/{id}/versions endpoint. This issue is resolved in version 1.4.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7476"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-20T10:15:36Z",
    "severity": "MODERATE"
  },
  "details": "A broken access control vulnerability exists in lunary-ai/lunary versions 1.2.7 through 1.4.2. The vulnerability allows an authenticated attacker to modify any user\u0027s templates by sending a crafted HTTP POST request to the /v1/templates/{id}/versions endpoint. This issue is resolved in version 1.4.3.",
  "id": "GHSA-9xvx-2953-c58g",
  "modified": "2025-03-20T12:32:46Z",
  "published": "2025-03-20T12:32:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7476"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lunary-ai/lunary/commit/8f563c77d8614a72980113f530c7a9ec15a5f8d5"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/183761f7-d411-4332-af86-2ccfbcc5bd9f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9XWG-HW64-86P3

Vulnerability from github – Published: 2024-12-04 12:31 – Updated: 2024-12-04 12:31
VLAI
Details

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.4 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private and draft posts created by Elementor that they should not have access to.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10787"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-04T09:15:04Z",
    "severity": "MODERATE"
  },
  "details": "The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.4 via the \u0027elementor-template\u0027 shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private and draft posts created by Elementor that they should not have access to.",
  "id": "GHSA-9xwg-hw64-86p3",
  "modified": "2024-12-04T12:31:44Z",
  "published": "2024-12-04T12:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10787"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3198563%40lastudio-element-kit\u0026new=3198563%40lastudio-element-kit\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2e63c0fb-7fe7-42f7-8fa9-ec159d3c8117?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C273-C6VG-4PV5

Vulnerability from github – Published: 2022-05-24 00:01 – Updated: 2023-08-25 22:03
VLAI
Summary
Publify has Improper Access Controls
Details

A low-privileged user can modify and delete admin articles by changing the value of the article[id] parameter prior to 9.2.9.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "publify_core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.2.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-1810"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639",
      "CWE-732"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-02T20:38:50Z",
    "nvd_published_at": "2022-05-23T12:16:00Z",
    "severity": "MODERATE"
  },
  "details": "A low-privileged user can modify and delete admin articles by changing the value of the `article[id]` parameter prior to 9.2.9.",
  "id": "GHSA-c273-c6vg-4pv5",
  "modified": "2023-08-25T22:03:08Z",
  "published": "2022-05-24T00:01:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1810"
    },
    {
      "type": "WEB",
      "url": "https://github.com/publify/publify/commit/c0aba87844d1e47da50c0d99a3465164a4d244ce"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/publify/publify"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/publify_core/CVE-2022-1810.yml"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/9b2d7579-032e-42da-b736-4b10a868eacb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Publify has Improper Access Controls"
}

GHSA-C29F-JM2C-8VV7

Vulnerability from github – Published: 2023-04-24 21:30 – Updated: 2024-04-04 03:39
VLAI
Details

The WP FEvents Book WordPress plugin through 0.46 does not ensures that bookings to be updated belong to the user making the request, allowing any authenticated user to book, add notes, or cancel booking on behalf of other users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-1129"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-24T19:15:09Z",
    "severity": "MODERATE"
  },
  "details": "The WP FEvents Book WordPress plugin through 0.46 does not ensures that bookings to be updated belong to the user making the request, allowing any authenticated user to book, add notes, or cancel booking on behalf of other users.",
  "id": "GHSA-c29f-jm2c-8vv7",
  "modified": "2024-04-04T03:39:59Z",
  "published": "2023-04-24T21:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1129"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/d40479de-fb04-41b8-9fb0-41b9eefbd8af"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.